Category Archives: social networking

I’m back from the RSA conference and how exhausting. Understandable considering there were 17,000 people at the show—all focused on the security industry.

In case you didn’t see it, we made an announcement during RSA about our partnership with Upek, a biometrics company based in the Bay area.What I find exciting about this partnership is that it shows just how complimentary our solutions are with other authentication technologies.In a whitepaperwe published over a year ago we showed a diagram of where identity verification fits in the puzzle and how it is central to other verification tools.

Biometrics in an online environment falls into this sphere and requires a proofing solution because what good does it do to enroll someone’s fingerprints if the fingerprints aren’t those of the person he/she is claiming to be?This is why we decided to show the power of our two technologies working together through a joint demonstration.

Another observation from RSA is that there continues to be a lot of interest and discussion about age verification and social networks. If you recall, last year there was a panel session called Pandora’s Box discussing child safety and the Internet. Admittedly this year I didn’t attend the sessions as much since we were an exhibitor, but based on the questions and discussions on the show floor, it is clear people are concerned and also aware of the Internet Safety Technical Task Force.

Zach Martin, editor of CR80 News recently published an article about the identity and age verification issues we are facing in social networks.You definitely should check it out but in case you don’t have time here are some important highlights:

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorney generals to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

The article goes on to describe some social networks and their use of identity verification including one of our clients FunkySexyCool and their use of our system.It also discusses the privacy concerns related to age verification of minors and provides a possible solution the Liberty Alliance is discussing essentially related to ID 2.0

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14 year old wanted to sign up on MySpace without a parents’ permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to atrusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

The next task force meeting will be later this month and I’m looking forward to seeing how the conversation progresses.I firmly believe we can find several ways to combat the issues at hand including both an educational approach and technological approach.

On another note, I’m off to the RSA Conference next week. IDology has a booth this year so if you are in San Fran, stop by and see us.

We had the kick-off meeting for the Internet Safety Technical Task Force this week.As I expected, there are a lot of differing opinions of the committee members.It should be an interesting year to watch how things progress.

I believe the key to progress is being able to listen and keeping an open mind. Which is just what I intend to do.

The Task Force is being led by John Palfrey who is the Executive Director at the Berkman Center for Internet & Society at Harvard Law School.And among its members are organizations concerned with this issue including Non-Profits, Academics, Prominent Internet Businesses and Technology Companies, of which IDology is one of the appointed members.Other member names you will recognize are AOL, Symantec, Microsoft, Verizon, Google, Facebook, Xanga, Yahoo, WiredSafety.org and more.

“We should work together – private firms, technologists, experts from the non-profit world and leaders in government – to solve online safety issues as a joint effort.”

I couldn’t agree more with Palfrey.The task force faces a very difficult issue where there are differing opinions.I believe all of its members need to keep an open mind and a team approach if we are going to make headway in solving this problem to create a safe online environment for our children.

I look forward to having healthy, productive discussions on the issues at hand.

Today’s press release out of North Carolina Attorney General’s Office Roy Cooper is a big deal.Here’s the first paragraph:

In a victory for social networking safety, Attorney General Roy Cooper and 49 other attorneys general today announced that MySpace has agreed to significant steps to better protect children on its web site, including creating a task force to explore and develop age and identity verification technology.

It’s been a long 2 years in this education process and the fruits of our labors are finally coming to fruition.Given MySpace’s leadership position and popularity, gaining recognition and cooperation from them will only serve to help advance identity and age verification technologies growth in the market.Here are some words that are music to my ears:

MySpace acknowledged in the agreement the important role of age and identity verification technology in social networking safety and agreed to find and develop on-line identity authentication tools.

Obviously there is still a lot of work to do but I’m glad to see that we are all going to roll up our sleeves together and do what is best for our kids – find a way to help keep them safe online.

I’m sure by now you’ve seen the news that the co-founder of MySpace has been caught faking his age on his MySpace profile. Quite ironic given the age verification issues social networks are facing these days. But now seems as good a time as any to say that age and identity verification doesn’t mean you can’t have an online persona that is or isn’t based on your true age.

While I would recommend not giving away any personally identifying information on your profile for the sake of safety (including your birthday), the point of having an age and identity verification solution within a social network is to function behind the scenes to verify someone is an adult and help us monitor what is appropriate for our kids.

There are two components to CSI Georgia which are prevention and enforcement. Prevention includes strong education and awareness initiatives towards caregivers, teachers and kids about the dangers of the Internet as well as how to stay safe. What I think is often overlooked in these discussions but definitely a strong component of any prevention initiative is the efforts ecommerce companies need to take to protect kids online. On the forum panel was Michael McKeehan, the Executive Director of Internet & Technology Policy from Verizon, which incidentally was the major sponsor of the event and is very committed to CSI Georgia as evident in their $25K grant announced during the event. This effort (and participation) by Verizon shows that the telecommunications industry is one of the leaders in taking proactive steps to protect kids not only in their education efforts but also their business practices as recommended through the CTIA guidelines regarding content access by minors. Boy, how I’m ready for the major social networks to follow the telecommunications industry example and adopt guidelines themselves.

In my personal efforts to further protect kids online through both promoting age verification and providing education, here are some programs you need to check out:

Georgia Emergency Management Agency (GEMA) – this organization offers a “The Internet and Your Child” free safety class for parents and anyone else who supervises children’s online activities. Topics include Windows basics, parental controls, popular Web sites for social networking, hacking, and protecting your privacy from identity thieves. Also instructors go online and pose as children to show participants the types of dangers children may be exposed to online.

Project Safe Childhood – the US Department of Justice launched Project Safe Childhood which includes a new outreach program called “eSafe Georgia.” eSafe Georgia is a pilot program which involves training high school students to be experts in internet safety, technology and public speaking who will then film presentations about these topics to be presented in middle school assemblies, classes and school newscasts this year. Additionally eSafe Georgia teams will travel to middle school classes to provide instructions about playing “Missing” an interactive internet safety game produced by WebWise Kids.

The Family Online Safety Institute – an international, non-profit organization that facilitates the meeting of thought leaders in technology and policy in order to find innovative solutions for family online safety. Here you can get access to The ParentalControl Bar which is a free public service that helps concerned parents prevent their children from accessing adult-oriented Web sites as well as some great materials to help you start discussing these issues with kids.

I commend Second Life on their decision to offer a voluntary verification policy for their members.They are the first big social network to take a step toward adopting this technology.

The way I understand it, if you are a member that has chosen not to be verified you won’t be allowed access into any land that is flagged as restricted but you can stay in the PG-13 type of areas.

I’ve visited Second Life’s blog post where this announcement was made and read a bunch of the comments.One in particular makes me want to stress an important difference we think businesses must consider when selecting an identity provider and that is if the vendor is an independent 3rd party:

You say that “Linden Lab does not share Resident data for marketing or other purposes”, can someone from LindenLab state for the record that Integrity will do the same??

Many data providers offer identity verification solutions which makes sense given they collect, store and sell data as their primary business and data is a crucial part of verification.But being a seller of data and also capturing data for verification, could definitely create a conflict of interest in the minds of consumers about how their data will be used.And it also has the potential to limit match rates because the data being used is limited to the sources of that particular vendor.

Back in February we released a whitepaper about identity verification which included some questions to consider when selecting an id verification vendor.Two come to mind right now and are worth pointing out here:

Does the vendor promote the responsible use of data?
The right solution will have strict protocols for using and sharing data and will access data on a real-time basis, not collect and store it for any other purpose.Additionally, the system should provide different permission levels to limit how much and what type of data is shared within your business.

What data sources are used?
Find a vendor that works with multiple providers and does not restrict its data to any single data provider.The system should be designed with the ability to access multiple independent data sources including foreign data.